
Check Point Logging Troubleshooting Guide


Written on 25 January 2010. Posted in Check Point (/Firewalls/Check-Point/)

Below are some basic guidelines for troubleshooting Check Point Logging issues.

Please note: this guide does not cover OPSEC LEA based issues.
Please note: the FWD (Firewall Daemon) is responsible for sending and receiving the Check Point logs on port tcp/257.

Are the logs being sent to the manager?

First of all, are the logs being sent to the SmartCenter or to the dedicated Log Manager? We can check this by confirming whether the gateway is sending the log packets over the FW Log port, tcp/257, on both the gateway and the manager. To do this use either or both of the following commands:

netstat -an | grep 257 - This will show the state of the TCP sockets. Note that a bare 257 also matches ports such as 2570 or 1257, so grep ':257 ' gives a tighter match.
tcpdump -ni [interface name] port 257 - This will show a packet capture of the FW Log packets on the specified interface.

If the gateway is not sending the logs then this can be down to one of the following issues:

1. SIC is not established.
2. The logging configuration for the gateway is not configured correctly.
3. The SmartCenter/Log Manager is not listening on port tcp/257.
4. There is an issue with FWD on the gateway. In some instances you may need to restart FWD (cpstop followed by cpstart), though the root cause could be down to a number of factors.

The SmartCenter / Log Manager is not receiving the logs

If the gateway is sending the logs but the SmartCenter / Log Manager is not receiving them, then either a device between the two nodes is blocking the packets or there is a routing issue. Running the tcpdump above on both ends confirms this: the packets leave the gateway's interface but never arrive on the manager's.
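The checks in the two sections above, as an added example that is not code from the original article: a POSIX shell function that classifies the tcp/257 sockets in netstat -an output so the state of the gateway-to-manager log session is explicit. An ESTABLISHED session means logs can flow; a SYN_SENT socket on the gateway means the manager never answers, which is the symptom of a filtering device or a routing problem between the two nodes; a LISTEN-only socket on the manager means nothing has connected to it yet. The addresses 192.0.2.10 (manager) and 192.0.2.20 (gateway) and the netstat samples are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: classify the tcp/257 (FW Log) sockets
# found in "netstat -an" output. Run on a gateway with the manager's IP, or on the
# manager with a gateway's IP:
#   netstat -an | fwlog_socket_state <peer-ip>
# The verdict line starts with one of: CONNECTED, UNANSWERED, LISTEN_ONLY, NO_SOCKET.

fwlog_socket_state() {
    peer="$1"
    awk -v peer="$peer" '
        # Keep TCP sockets whose local or foreign port is exactly 257. A bare
        # "grep 257" would also match port 2570 or 1257, hence the anchored match.
        $1 ~ /^tcp/ && ($4 ~ /:257$/ || $5 ~ /:257$/) {
            state  = $NF
            topeer = (index($5, peer ":") == 1)   # foreign address belongs to the peer
            if (state == "LISTEN")                     listen++
            else if (state == "ESTABLISHED" && topeer) est++
            else if (state == "SYN_SENT" && topeer)    synsent++
        }
        END {
            if (est) {
                print "CONNECTED tcp/257 session with " peer " is ESTABLISHED (" est " socket(s)), logs can flow"
            } else if (synsent) {
                print "UNANSWERED tcp/257 SYN to " peer " gets no reply, check filtering and routing between gateway and manager"
            } else if (listen) {
                print "LISTEN_ONLY port 257 is listening but no session with " peer " exists, check SIC, the gateway logging configuration and fwd"
            } else {
                print "NO_SOCKET no tcp/257 socket involving " peer ", fwd is not running, not listening or not sending"
            }
        }'
}

# Constructed "netstat -an" samples (documentation address ranges, chosen for the example).
NETSTAT_GATEWAY_OK='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.20:42510        192.0.2.10:257          ESTABLISHED
tcp        0      0 192.0.2.20:2570         198.51.100.5:443        ESTABLISHED'

NETSTAT_GATEWAY_BLOCKED='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      1 192.0.2.20:42511        192.0.2.10:257          SYN_SENT'

NETSTAT_MANAGER_IDLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:257             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           192.0.2.20:51234        ESTABLISHED'

NETSTAT_DECOYS='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.20:2570         198.51.100.5:1257       ESTABLISHED'

printf '%s\n' "$NETSTAT_GATEWAY_OK"      | fwlog_socket_state 192.0.2.10
printf '%s\n' "$NETSTAT_GATEWAY_BLOCKED" | fwlog_socket_state 192.0.2.10
printf '%s\n' "$NETSTAT_MANAGER_IDLE"    | fwlog_socket_state 192.0.2.20
printf '%s\n' "$NETSTAT_DECOYS"          | fwlog_socket_state 192.0.2.10
```

On a gateway pipe netstat -an into fwlog_socket_state with the manager's address; on the manager use the gateway's address. UNANSWERED on the gateway together with LISTEN_ONLY on the manager is the combination that points at the path between the two nodes rather than at either end.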

Why are the logs not being displayed within SmartView Tracker?

So the manager is receiving the logs, but you may still not see them within SmartView Tracker. This will be down to either the FWD (Firewall Daemon) or the log files being corrupted.

Log Files Corrupted

If the log files are corrupted you should expect to see no logs within SmartView Tracker. If this is the case you will need to action the following steps:

1. Close the Log Viewer/SmartView Tracker and Policy Editor/SmartDashboard.
2. Execute the fwstop or cpstop command (depending on the version) from the command line.
3. Remove all files starting with fw.log and fw.logptr from the $FWDIR/log directory.
4. Execute the fwstart or cpstart command (depending on the version).

Full details can be found in Check Point's KB within Solution ID sk6432.
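The procedure above as an added shell example, not the article's or Check Point's own code: it keeps the same stop / clear / start sequence, but moves the active log set into a quarantine directory instead of deleting it, so the suspect files remain available for offline inspection. $FWDIR is the standard Check Point environment variable; the quarantine path and the helper names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article or sk6432: the log-reset procedure with
# one change, the active log set is moved into a quarantine directory rather than
# deleted. $FWDIR is Check Point's environment variable; the quarantine path is an
# assumption of this example.

# Move fw.log* (fw.log itself plus fw.logptr and the other pointer files) out of the
# log directory, which is exactly the set step 3 asks to remove. Names that do not
# begin with fw.log, such as fwd.elg or rotated logs, are left untouched.
# Prints the number of files moved.
quarantine_active_logs() {
    logdir="$1"
    dest="$2"
    [ -d "$logdir" ] || { echo "no such log directory: $logdir" >&2; return 1; }
    mkdir -p "$dest" || return 1
    moved=0
    for f in "$logdir"/fw.log*; do
        [ -e "$f" ] || continue            # the glob matched nothing
        mv "$f" "$dest"/ || return 1
        moved=$((moved + 1))
    done
    echo "$moved"
}

# The full sequence from the steps above: stop the daemons first so fwd is not writing
# while the files move, quarantine the active log set, then start everything again.
# On older versions substitute fwstop/fwstart for cpstop/cpstart. Not run here.
reset_fw_logs() {
    logdir="${FWDIR:?FWDIR is not set, run this from a Check Point shell}/log"
    dest="$logdir/quarantine-$(date +%Y%m%d%H%M%S)"
    cpstop || return 1
    quarantine_active_logs "$logdir" "$dest" || return 1
    cpstart
}
```

Run reset_fw_logs with SmartView Tracker and SmartDashboard closed, as in step 1. Once fwd has recreated a fresh fw.log and logging is confirmed working, the quarantine directory can be archived or removed.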

Only some of the logs are not being displayed

If only some of the logs are not being displayed then this could point to an issue with the trust between the manager and the gateway. To confirm the issue you will need to debug FWD using the following steps.

root@cp-mgnt# fw debug fwd on TDERROR_ALL_ALL=5
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg
root@cp-mgnt# tail -f $FWDIR/log/fwd.elg | grep -i "Certificate is revoked"
root@cp-mgnt# fw debug fwd off

Within these steps we first enable the debug at a verbose level (TDERROR_ALL_ALL=5). Then we run a live tail on the log file, and then a grep on the live tail for a specific error; the live tail allows us to view the end of the log file in real time. We finally turn off the debug, which should not be forgotten, as fwd.elg grows quickly at this level.

Below is an example of an error with the SIC trust between the gateway and the manager, obtained from $FWDIR/log/fwd.elg:

[FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. CN=cp-fw2,O=cp-mgnt..bizt7z

In this instance resetting SIC (/Firewalls/Checkpoint/checkpoint-how-to-reset-sic.html) on the affected gateways (cp-fw1 and cp-fw2 here, as named by the CN in each line) would resolve this issue.
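As an added example, not code from the original article, the fwd.elg excerpt above run through a small awk-based summariser that lists each revoked CN once, with a count and the timestamp of its latest occurrence, which is the list of gateways whose SIC needs resetting. The extra log lines in the sample (a repeat for cp-fw1 and one unrelated line) are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: summarise the SIC certificate errors
# seen in $FWDIR/log/fwd.elg, listing each affected gateway (CN) once with how many
# times the error occurred and the timestamp of the latest occurrence.
#   revoked_certs < $FWDIR/log/fwd.elg
# Output line format:  <CN> revoked=<count> last=<timestamp>

revoked_certs() {
    awk '
        # Same match as the "grep -i" above, made case-insensitive with tolower().
        tolower($0) ~ /fwcert_valcerts: certificate is revoked/ {
            # Line layout: [FWD <pid> <n>]@<host>[<timestamp>] fwCert_ValCerts: ... CN=<cn>,O=<org>
            ts = "?"
            i = index($0, "]@")
            if (i) {
                rest = substr($0, i + 2)                     # "<host>[<timestamp>] ..."
                rest = substr(rest, index(rest, "[") + 1)    # "<timestamp>] ..."
                ts   = substr(rest, 1, index(rest, "]") - 1) # "<timestamp>"
            }
            cn = $0
            sub(/.*CN=/, "", cn)   # drop everything up to and including "CN="
            sub(/,.*/, "", cn)     # drop ",O=..." so only the CN value remains
            count[cn]++
            last[cn] = ts
        }
        END {
            for (cn in count) printf "%s revoked=%d last=%s\n", cn, count[cn], last[cn]
        }' | sort
}

# Constructed fwd.elg excerpt: the two lines from the article plus a repeat for cp-fw1
# and one unrelated line that must be ignored.
FWD_ELG_SAMPLE='[FWD 2177 1]@cp-mgnt[22 Jan 14:47:32] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:41] fwCert_ValCerts: Certificate is revoked. CN=cp-fw2,O=cp-mgnt..bizt7z
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:50] fwd: unrelated debug line (constructed)
[FWD 2177 1]@cp-mgnt[22 Jan 14:47:55] fwCert_ValCerts: Certificate is revoked. CN=cp-fw1,O=cp-mgnt..bizt7z'

printf '%s\n' "$FWD_ELG_SAMPLE" | revoked_certs
```

Run it against the whole file after the debug session rather than on the live tail, so the count reflects every gateway that hit the error, not only the ones seen while watching.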
